Don't Use NSA-Influenced Code in Our Products, Security Company Warns
Which standards? The Times didn't reveal the names, but Tom's Guide and several others speculated that one of them was an algorithm called Dual_EC_DRBG, used to generate random numbers for encryption purposes.
RSA Security clearly agrees. In an emailed advisory, the computer and network security company warned its developer community not to use Dual_EC_DRBG, which is an option in many of its developer tool kits and the default selection in one of them.
To "ensure a high level of assurance in their application, RSA strongly recommends that customers discontinue use of Dual_EC_DRBG and move to a different [algorithm]," RSA wrote.
"Under no circumstances does RSA design or enable any backdoors in our products," RSA Security said in a statement on its website.
Dual_EC_DRBG is not in any of RSA Security's SecurID identification key fobs, which are commonly used to verify users logging in to corporate and government VPNs.
It should also be noted that RSA Security is different than the encryption algorithm known as RSA, which many websites use to encrypt their visitors' connections.
Dual_EC_DRBG was co-developed by the NSA. In 2006, the algorithm was published as a standard by the National Institute of Standards and Technology (NIST), a branch of the U.S. Department of Commerce that reviews and publishes standard practices for governmental organizations.
All of NIST's standards are publicly reviewed by field experts, and many nongovernmental organizations — RSA Security among them — use NIST's standards because of their high quality.
Dual_EC_DRBG passed NIST's original public review period, but in 2007, two Microsoft researchers found a "backdoor" in the algorithm, meaning that the algorithm was written in such a way that anyone with a certain passcode could predict what numbers the algorithm would generate.
"We have no way of knowing whether the NSA knows the secret numbers that break Dual_EC_DRBG," wrote security expert Bruce Schneier in a 2007 Wired op-ed, though, in the same piece, he also noted that Dual_EC_DRBG was slower than other available methods and was "in the standard only because it's been championed by the NSA."
Despite these warnings, Dual_EC_DRBG became widely adopted. NIST maintains a list of companies that currently use Dual_EC_DRBG in their products, and it includes BlackBerry, Juniper Networks and Cisco Systems.
A spokeswoman for Cisco Systems said she would "check into this."
RSA Security is the first company to come out against using a NIST-endorsed security standard, but it probably won't be the last.
NIST maintains that it does not know of any NSA-created backdoors in its standards. "NIST would not deliberately weaken a cryptographic standard," the agency said in a Sept. 10 statement on its website.
However, on Sept. 9, NIST reopened Dual_EC_DRBG for public review, and recommended that the algorithm not be used until the review process is concluded.
Understandably, many cryptographers aren't ready to take NIST's word for it.
"We'll have to re-evaluate that relationship," cryptographer Matthew Green of Johns Hopkins University wrote on his blog. "While the possibility of a backdoor in any of [NIST's] components does seem remote, trust has been violated."